back to article Silicon Valley freeze-out: EU watchdog tells firms clock is ticking to limit data transfers

Companies have been put on notice by Brussel's top privacy bod, who has warned them that the transfer of EU citizens' data to the US must be limited – and this must happen soon. It comes several weeks after a landmark decision in the European Court of Justice nullified the questionable US-EU Safe Harbour Agreement. "No one …

  1. Destroy All Monsters Silver badge
    Paris Hilton

    So..... where is that European Salesforce Center?

  2. Anonymous Coward
    Anonymous Coward

    Why wait, it should have been unlawful as soon as the decision was released.

    1. DavCrav

      "Why wait, it should have been unlawful as soon as the decision was released."

      When laws that result in significant amounts of work for compliance are introduced or repealed, it is reasonable to have a grace period. If a government votes for new accounting rules, they don't say "and they'll come in tomorrow. Why? Fuck you, that's why." They give people time to adjust.

  3. Anonymous Coward
    Anonymous Coward

    I wonder what the credit card companies are going to do? How are they going to fight fraud if they can't collect data from everywhere?

    1. Trigonoceps occipitalis

      I'm sure TalkTalk can help with data.

    2. a_yank_lurker

      Credit and debit card fraud protection relies heavily on monitoring usage patterns. I have had my US bank call me on my cell phone when they thought the pattern was suspicious. They were seeing the transaction in real time and in one case blocked it. Since this type of data monitoring is internal to the bank and is to protect their customer this should be legal everywhere.

      The issue is using surfing data with other personal data to build up a profile for advertising without the users consent.

    3. jonathanb Silver badge

      They can collect data from the US, if you use your card there, or with a company based there, but they can't store or analyse the data there.

      That's fine for dealing with your account. However, to work out that for example everyone who purchased tickets from Heathrow Express over a certain period had fraudulent transactions on their account afterwards, as happened many years ago, and therefore Heathrow Express must be having problems with their security, that would involve analysing data from people in many different countries. If you look at just the UK data, you might have found that most of them had also purchased from Tesco, but bring in the international data, and you will be able to pinpoint the source much better.

      1. yoganmahew


        I don't think that's the case. Look at article 7 of section II:

        "(d) processing is necessary in order to protect the vital interests of the data subject, or"

        for example. If the data centre collecting the credit card usage information for fraud protection purposes is outside the EU, then I believe it is fine, since the collection point is outside the EU.

        The issue at question, though is data transfers, that is, data that is collected in the EU/EEA and transferred out.

        So look at the FAQs on the transfers site - the steps are quite complex, but even if the CC data has been gathered within the EU, it can be transferred within the same company for the use of fraud prevention. It does get tricky when you have to look at each individual data transfer and the components of it.

  4. Doctor Syntax Silver badge

    '"No one wants to see data transfers to stop completely," head of the European Union's Article 29 Working Party, Isabelle Falque-Pierrotin, told Reuters.'

    Why does she think she's talking for everyone. There's no good reason why transfer of data to the US should continue except for transfers for specific cross-Atlantic business transactions initiated by the data subject.

    1. Yet Another Anonymous coward Silver badge

      On Facebook or Linkedin and have contacts in the USA - how are you planning to manage that without copying data ?

      1. Doctor Syntax Silver badge


        Some aspects of Facebook are being looked at by the Irish regulator. In general, however, with social media the data subject initiates the transaction.

        1. Destroy All Monsters Silver badge

          > data subject

          Should be the "data object", right?

      2. a_yank_lurker

        Some data is needed for functionality but with social media the content and interactions are user initiated. However, how much data Facebook, et. al. collect and they use it to sell advertising is another matter.

  5. Queasy Rider

    They should ask themselves, are all these transfers justifiable?

    or even necessary?

    1. Destroy All Monsters Silver badge
      Big Brother

      Re: They should ask themselves, are all these transfers justifiable?

      The World today is full of such questions...

      Finally, there’s the most important aspect of IBM’s identical Big Data approaches to death and customer service: Both are extremely powerful systems that have escaped any kind of human, democratic control. As Ellsberg puts it, the drone study is “unintelligible to anyone who might ask, ‘to what end is all this?’ or ‘do we have the right to be doing this?’ or ‘is this making us more secure, in the mid- to long-term, or on balance less so?’ or ‘is this creating more people who hate us — including the families of EKIAs (unintended victims) — and wish to harm us, than it is eliminating?’”

  6. Sanctimonious Prick

    Yeah, But,

    Not sure I completely understand what this all means, really. I'm gonna take a guess and hope for some feedback.

    U.S. listed company Facebook (FB) have users who are Croatian (member of the EU), and live in Croatia. To comply, Facebook must have (a presence) servers in Croatia where all registered information of the users is stored. However, only a small amount of that registered information may be stored on Facebook servers in the U.S.

    What information is limited?

    Is it only registered information?

    [ Maybe I should do some Yahoo!ing™ a bit more? ]

    What about 'in transit information?'

    What about cached 'in transit information?'

    How much of 'in transit information' can be stored on U.S. servers? And for how long?

    1. jonathanb Silver badge

      Re: Yeah, But,

      It doesn't specifically have to be in Croatia. Ireland, where their EU operation is registered, is fine, they can store it there.

      1. Doctor Syntax Silver badge

        Re: Yeah, But,

        " Ireland, where their EU operation is registered, is fine"

        And it's Ireland's regulator who is now charged with looking into the rest of the questions. That's what the ECJ ruling was about.

    2. Pseu Donyme

      Re: Yeah, But,

      I'd think that many of details of interpreting the law (the data protection directive and related) are yet to end up in the ECJ and before that we strictly speaking don't know what the authoritative interpretation is. In the meantime you could do worse than take a look at Max Schrems' take on some key issues:

      1. yoganmahew

        Re: Yeah, But,

        @Pseu Donyme

        Thanks for the link.

        So basically, you cannot trust any US-based company since they are not permitted, by US law, to admit that they transfer data to the NSA. This includes any non-US company that uses a storage facility in the US or a storage facility operated by a US company (e.g. Amazon, Google, Microsoft clouds).

        Erm, right?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like